from the that-4th-amendment-thing dept

We've been writing about ECPA reform for ages. In case you haven't been following this, ECPA is an incredibly outdated law concerning the privacy of electronic communications. As it stands now, thanks to some oddities in the law, the government can often access your online data with little oversight (among the many oddities in the bill, it considers emails on a server for more than 180 days "abandoned" and accessible by the government without a warrant). While many politicians in Congress claim that they're in favor of ECPA reform, little ever seems to happen with it. Late last year it had looked like a deal might have been worked out whereby Congress would approve strong ECPA reform that would respect the privacy of our data, in exchange for also reforming privacy laws concerning video rental data (basically a favor to Netflix and Facebook).

Law enforcement, as always, flipped out about the ECPA reform bit, and at the very, very end of Congress, the video rental reform stuff passed while ECPA reform was left on the cutting room floor.

This week, however, ECPA reform has been brought back once again, this time in the House, by Rep. Zoe Lofgren, along with Reps. Ted Poe and Suzan DelBene. The proposed bill, called The Online Communications and Geolocation Protection Act, is embedded below. It's a strong bill, meaning law enforcement folks are likely to flip out again. Among the reforms, it would set up a clear and consistent standard for requiring a warrant for government access to electronic communications. That is, it will get rid of the hodgepodge of ECPA rules that change based on how old the communications are, whether they've been opened, whether they're drafts, etc. Now, we just get one rule, across the board, and that rule is: get a warrant. It also requires (with a few exceptions) that notice be given to the user/account holder, so that people actually know when the government goes looking through their data.

In an attempt to appease law enforcement, the bill leaves in many "exceptions" that will allow law enforcement to bypass these rules in certain cases. The bill would be stronger without these exceptions, but there's no way the bill passes without something like that in there.

As you may have realized from the name, the bill also has a section dealing with "geolocation" information. This is important because there are a bunch of ongoing fights concerning the privacy of your location data (obtained via mobile phones, GPS devices and such). As we've covered here repeatedly, the courts have been ruling every which way on the legality of law enforcement accessing this kind of data, and so the bill tries to clarify that, and puts in place prohibitions on the government intercepting location info without a warrant (with, of course, a few key exceptions -- including in an emergency, if the person gives consent or if the data is already public).

It's a good bill that deserves support. While it may not be perfect, it's a hell of a lot better than what we have now. This would be a huge step up in protecting our privacy from government intrusion, which means it's going to be an uphill battle against law enforcement interests to get it passed. That said, maybe this is finally the year when all those elected officials who claim ECPA reform is important get their act together and vote to approve real reform.

from the ecpa-reform-now dept

Google's latest transparency report, once again, highlights why we need ECPA reform in the US as soon as possible. ECPA -- the Electronic Communications Privacy Act -- is an outdated law that was supposed to be about protecting user privacy, but was written nearly three decades ago and now does exactly the opposite. Beyond being complex in ridiculous and unnecessary ways, it assumes things that were true decades ago but are no longer the case. For example, there's the idea that emails left for 180 days on a server no longer need a warrant, because under ECPA they are considered "abandoned." In the real world, where all email lives on servers for quite some time, that idea makes no sense.

Either way, the report makes clear that US government agencies are well aware that they can go trolling through Google to get information on people with little oversight. Requests -- especially requests that are purely a subpoena (with no judicial oversight) -- appear to continue to rise:

The largest part of that chart is the government subpoenas, meaning no judge had to look them over first:

68 percent of the requests Google received from government entities in the U.S. were through subpoenas. These are requests for user-identifying information, issued under the Electronic Communications Privacy Act (“ECPA”), and are the easiest to get because they typically don't involve judges.

Unfortunately, Congress had a chance to reform ECPA last year, and the Senate Judiciary Committee even approved it. But, right at the end of the year, Congress passed a separate bill that had been attached to ECPA reform by itself... and left ECPA reform to rot.

from the doubtful dept

As we had hoped earlier this week, the Senate Judiciary Committee did, in fact, approve Senator Patrick Leahy's attempt at ECPA reform, which would require law enforcement to do something crazy like "get a warrant" before sifting through your email. The bill was approved despite law enforcement types freaking out that they might actually have to ask a court for permission. Senator Chuck Grassley, as expected, introduced an amendment that would have greatly weakened the warrant requirement for various federal agencies, but it was thankfully voted down.

Of course, at this point, the victory is largely symbolic, as it's happening in a lameduck Congress. The bill still needs to pass the full Senate and have a comparable House version pass as well. In other words: nothing is happening until next year when this whole process may need to repeat. And given some of the quotes from Grassley and law enforcement, there will be yet another effort to strip some of these warrant requirements. Still, it's nice to see that there's at least some recognition in Congress that electronic privacy laws are woefully out of date, and leave private information, such as emails, way too open to law enforcement snooping.

from the about-time dept

We've written a few times about the urgent need to reform ECPA -- the Electronic Communications Privacy Act, which is woefully outdated, having passed in 1986. Of course, every time there's an attempt to reform it, it seems to fail, often because folks in law enforcement like the outdated law that lets them easily spy on others without a warrant. The latest attempt at ECPA reform is a mostly good proposal from Senator Leahy that (as expected) has law enforcement types livid. The crux of the reform is that law enforcement would need to get a warrant for most situations if they wanted to peer into your electronic lives. That seems entirely consistent with that quaint concept sometimes referred to as the Fourth Amendment.

Last week there was some buzz about a possible manager's amendment from Leahy that would open the door to various federal agencies being able to issue subpoenas without having to get warrants, but Leahy has since insisted that he will introduce no such amendment. Whether it was because of the outcry about it, or if it was never really intended, is a point of some debate. But, either way, the outcry did make some impact -- though not enough. There are still rumors of similar privacy-destroying amendments from other Senators at the markup, which is slated for this upcoming Thursday.

In particular, it is expected that Senator Chuck Grassley is planning to sell out the 4th Amendment by offering an amendment even worse than the one discussed last week. It would take away the requirement for a warrant for many more federal agencies. Apparently, Senator Grassley thinks that the whole requirement of warrants based on probable cause before searches can take place is a recommendation, rather than the law of the land.

Given that, a bunch of groups and organizations have teamed up to set up VanishingRights.com, a site asking people to contact their Senators today, especially if they're on the Senate Judiciary Committee (list, with phone numbers, is on the website), to let them know that (a) you support ECPA reform that requires a warrant and (b) you oppose any amendment, such as Senator Grassley's, that would take away that warrant requirement. The website has tools for emailing, but also phone numbers and a possible script for calling. If you can, I highly recommend that you call rather than email, as it has a much stronger impact.

If you believe that privacy matters, and that your electronic documents deserve the basic privacy that a warrant provides, rather than just letting law enforcement sniff through your emails freely, now is the time to speak up.

from the lame dept

See update at the bottom...

Back in September, we wrote about how Senator Patrick Leahy had introduced a really good bill for ECPA reform. ECPA (the Electronic Communications Privacy Act) is an incredibly outdated bill concerning (as it says) the privacy of electronic messages. It was written in a time (the mid-1980s) before everyone had email, let alone everyone used web-based, cloud-stored email. And thus, it has weird provisions, such as considering that messages stored on a server for more than 180 days are "abandoned" and thus subject to very little privacy protections. And that's just one of many, many problems with ECPA, which treats all kinds of messages differently.

Leahy's reform was pretty straightforward: it basically said that if the government wants to see your electronic info, it needs a warrant. This seems completely reasonable and something that probably should be considered the law already if the 4th Amendment were respected. Of course, almost immediately after he introduced his reform package, we noted that the law enforcement community had freaked out over the bill, saying that if law enforcement had to actually, you know, justify its activities to a judge, it might have "adverse impact" on investigations (you know, like reading the love letters of generals).

Leahy's rewritten bill would allow more than 22 agencies -- including the Securities and Exchange Commission and the Federal Communications Commission -- to access Americans' e-mail, Google Docs files, Facebook wall posts, and Twitter direct messages without a search warrant. It also would give the FBI and Homeland Security more authority, in some circumstances, to gain full access to Internet accounts without notifying either the owner or a judge.

In other words, this went from being a much needed bill to a dangerous bill very quickly. That's extremely unfortunate. ECPA reform is needed, but not this kind of reform. From what we've heard, while there is this new manager's amendment, it is not certain that Leahy will introduce this version, and may still go with his old version (or a modified version that still requires warrants). It seems important to let folks in Congress know that this possible amendment, allowing warrantless spying, is not acceptable.

Update: There's some debate over how serious this proposal was. A new report claims that this amendment wasn't likely to be seriously considered, even though it does exist. Declan McCullagh is standing by his story, and saying that the claim that this amendment won't be seriously considered is in response to the public outcry about it.

from the needed,-but-unlikely dept

Rep. Zoe Lofgren has recently announced two brand new, but important bills (pdf): there's HR 6529, which is an ECPA reform act and HR 6530, the Global Internet Freedom Act. The ECPA reform effort is one we've discussed a few times recently. It's much needed, but law enforcement officials are pushing back against it because it would require them to get warrants before spying on electronic communications -- which is something they don't want at all. Here's what the bill would do according to Lofgren's fact sheet:

The government should obtain a warrant before compelling a service provider to disclose an individual’s private online communications.

The government should obtain a warrant before it can track the location of an individual’s wireless communication device.

Before it can install a pen register or trap and trace device to capture real time transactional data about when and with whom an individual communicates using digital services (such as email or mobile phone calls), the government should demonstrate to a court that such data is relevant to a criminal investigation.

The government should not use an administrative subpoena to compel service providers to disclose transactional data about multiple unidentified users of digital services (such as a bulk request for the names and addresses of everyone that visited a particular website during a specified time frame). The government may compel this information through a warrant or court order, but subpoenas should specify the individuals about whom the government seeks information.

All of these seem perfectly reasonable -- but given how hard law enforcement has fought against earlier ECPA reforms, it seems unlikely it'll go anywhere.

The Free Internet effort is also important, obviously, if a bit more vague. Lofgren's summary:

The Global Free Internet Act would create a Task Force on the Global Internet that identifies, prioritizes, and develops a response to policies and practices of the U.S. government, foreign governments, or international bodies that deny fair market access to Internet-related goods and services, or that threaten the technical operation, security, and free flow of global Internet communications. Members of the Task Force include the heads of several executive branch agencies, four U.S. persons nominated by Congressional leadership, and four U.S. persons who are not government employees nominated by the Internet itself. The Task Force would hold public hearings, issue reports no less than annually, and coordinate the activity of the U.S. government to respond to threats to the Internet. When the next SOPA-like legislation, restrictive international trade agreement, or overbroad treaty from an international body becomes a threat, it is the job of this Task Force to sound the alarm and propose a course of action

This is basically something that the government probably should have done a while ago, if it truly believed in the importance of an open and free internet... which is exactly why it, too, seems unlikely. And, of course, bills introduced at this point are unlikely to go very far, seeing as Congress is out of session for election season, only to come back briefly for a lame duck session after the election. It would be great if these bills got some attention, but unfortunately they're unlikely to do much this time around. Hopefully Lofgren introduces similar bills next year too.

from the bill-delayed dept

We recently noted that Senator Leahy had attached his mostly good ECPA (Electronic Communications Privacy Act) reform bill to another bill reforming the VPPA (Video Privacy Protection Act). The ECPA reform would update a decades-old law that law enforcement has interpreted to more or less mean they don't need a warrant to read your online email. Leahy's update would require a warrant. This is a good and important reform that should be supported. But, of course, law enforcement freaked out and it appears that Leahy has backed down, delaying hearings on the bill for now (funny how he really wanted to push through PIPA despite massive public protests, but a few law enforcement people get upset about respecting the 4th Amendment and things get delayed). From Declan McCullagh's coverage:

The delay comes two days after a phalanx of law enforcement organizations objected to the legislation, asking Leahy to "reconsider acting" on it "until a more comprehensive review of its impact on law enforcement investigations is conducted." The groups included the National District Attorneys' Association and the National Sheriffs' Association.

[....] A person participating in Capitol Hill meetings on this topic told CNET that Justice Department officials have been expressing their displeasure about requiring search warrants. The department is on record as opposing such a requirement: James Baker, the associate deputy attorney general, has publicly warned that requiring a warrant to obtain stored e-mail could have an "adverse impact" on criminal investigations.

Of course it would have "adverse impact" on criminal investigations. So do lots of things -- but those are the rules law enforcement plays by in a free society. It's not built to make law enforcement's life easy.

Either way, it appears that this bit of ECPA reform will get pushed off once again. Hopefully, when it comes back, it won't be watered down.

For what it's worth, both the EFF and the ACLU -- who strongly support ECPA reform similar to what Leahy has been proposing -- have also not been that happy with how Leahy introduced this bill, because they both oppose the changes to the VPPA, which they're afraid will weaken privacy for people. This is a (somewhat rare, but not unprecedented) situation where I disagree with both of those organizations. The VPPA was a specific and broad carve-out to deal with a single situation (bork bork bork). I think it's reasonable to update it to allow for things like letting people choose to let Netflix and social networks share info on what movies they've watched -- just like they can choose to show what music they listen to. I don't necessarily believe that it makes sense to link the VPPA to ECPA reform, but I don't think that passing the VPPA reform is so problematic that it should stop ECPA reform. Of course, if law enforcement has its way (and so far, that seems to be the case), ECPA reform might never happen. Is it really worth worrying about how you can choose to share your Netflix movies on Facebook while the Justice Department feels it can snoop broadly through your Gmail?

from the ecpa-reform dept

The Electronic Communications Privacy Act (ECPA) is ridiculously outdated. It was passed in 1986, and to this day provides the (incredibly inconsistent and difficult to apply) rules for what sort of privacy electronic communications have, even though the technology has changed drastically. This has created some wacky consequences, including that (for example) emails have different privacy protections when an email is being written compared to when it's being sent compared to when it's been received compared to when it's been read compared to when it's been archived. As an example, since most messages did not stay on servers for very long (they were downloaded and deleted), the law decided that messages stored on a server for more than 180 days were considered "abandoned" and subject to even lower standards of privacy protections. Think about that the next time you open your Gmail account... ECPA has lots of problems, but the basics are this: it certainly didn't anticipate an era where most of the things we do were in the so-called "cloud," and it takes almost no account of the expectation of privacy.

Last year, Senator Pat Leahy introduced an ECPA reform bill that was mostly good. It basically said that if the government wants to get access to your data on a server, it first needs to obtain a warrant -- something that is sorely missing today. There were some loopholes that concerned us, but for the most part, it was a very big improvement. And it went nowhere. Now, many folks around here will remember Senator Leahy for being the driving force in the Senate behind PIPA -- and you may be quick to want to dismiss his actions here. But just because he's (strongly) supported that bad bill, it doesn't mean that everything he introduces has been similarly problematic.

Leahy is trying again to move forward with his ECPA reform plan, this time attaching it to an update of the Video Privacy Protection Act (VPPA). We've discussed the VPPA before. The short version is that it was a special law that bars the release of video rental info, passed in response to Supreme Court nominee Robert Bork having his video rental history leaked. But, of course, in this modern age where people automatically stream their music playlists or book purchases to Facebook... Netflix is left out in the cold, because the VPPA doesn't allow them to do the very same thing. So, there's an update to the VPPA making the rounds that basically changes the law to let you tell the world what you streamed from Netflix last night (if you so choose to share that kind of info).

That bill has a chance to actually go somewhere, and it looks like Leahy sees it as another chance to see if he can get his ECPA reform package through the Senate. While it's no secret that I've had my differences with various Leahy proposals in the past, this is a reform that is badly needed to protect our privacy from government intrusion. Requiring a warrant to access your info in the cloud is a common sense move that's long overdue.

from the what-happens-next dept

I'm usually not one for the typical "end of year" summaries of what happened over the preceding twelve months, but Dave Kravets at Wired has put together an excellent post, bringing together a series of separate events that showed that politicians were quite eager to pass new draconian intellectual property laws all year, but shied away from anything that involved protecting our civil liberties. Reading through the article, it's a really sad statement over how the past year went from a politics perspective.

Of course, it will be interesting to see the coming backlash over this. We're already seeing the beginning elements of a reaction over SOPA (as well as the massive support for Ron Paul) and 2012 may make for an interesting year. Declan McCullagh is wondering if the internet world is ready to "go nuclear" in the effort to stop SOPA/PIPA next year. As with anything, I think that there will be some mistakes made along the way, but as the internet community gets more organized and more vocal, I do wonder if these two trend lines (more draconian IP laws and fewer civil liberties protections) can really continue to move in the same direction much longer.

from the seriously? dept

Well, this is disappointing. As you probably know, about a year ago, Google admitted to accidentally collecting some data from open WiFi networks via its Google Street View cars. The cars were set up not just to photograph streets, but to do some location-based tracking by cataloging WiFi networks (a very common location setting technique). If you understand basic technology, you can understand what they were doing, and how it was almost certainly not to capture data from the network, but just to determine location info. Furthermore, the only data it collected was from open WiFi networks where people were transmitting unencrypted data in the open. This was data that was being broadcast.

But, lots of people don't understand technology and people around the world, including in governments, freaked out about this data collection. So, of course, people started filing highly questionable class action lawsuits. As more and more such lawsuits were filed, they were all consolidated into a single court. Earlier this year, we noted that the judge was trying to determine if Google's actions amounted to an illegal wiretap under ECPA (the Electronic Communications Privacy Act).

If you understand how wireless networks work, the idea that this is wiretapping is hilarious. And wrong. This is data that is broadcast in the open. Anyone can read it. You don't need special equipment or anything. You just need basic software to see what data is traveling across the network.

Tragically, the judge has gone the other way on this point (so far). Google had asked for the wiretapping/ECPA claim to be dismissed, as it claimed (quite reasonably) that it wasn't wiretapping. The judge put together an astoundingly confused ruling that decides otherwise. While the link here blames the wording of ECPA, which is certainly partly to blame, I think the judge's confusion over the technology is equally at fault. Basically, it's true that ECPA is somewhat vaguely worded, but it does say that:

It shall not be unlawful under this chapter or chapter 121 of this title for any person... to intercept or access an electronic communication made through an electronic communication system that is configured so that such electronic communication is readily accessible to the general public

Furthermore, the statute defines "readily accessible to the general public... with respect to a radio communication" by saying that it is the case if the communication is "not scrambled or encrypted."

So, this should be open and shut. An open WiFi network is clearly readily accessible to the general public by its nature. And the statute doubles down on that point by noting that the communication was not scrambled or encrypted, and thus is, by the definition in the statute, "readily accessible to the general public."

So we're done here. Right? Not unlawful. Except... no. The judge instead goes through some of the most convoluted reasoning imaginable to try to claim that data transmitted over WiFi is not radio communication. Say what now? It is true that ECPA was drafted before WiFi existed, but that doesn't mean it's not a radio communication. That's what all wireless communication is. It's a form of radio communication. That's just basic technology. But not to this judge. And, thus, Google doesn't get to dismiss the wiretapping charges. Hopefully they'll appeal and somewhere up the chain this will be corrected.